9 April 2024

New threat actor Starry Addax targets human rights defenders in North Africa

A new threat actor dubbed “Starry Addax” is targeting human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause in North Africa using a novel mobile malware named “FlexStarling.”

Starry Addax's modus operandi involves conducting phishing attacks, enticing victims into installing malicious Android apps that are disguised as legitimate tools. The apps impersonate the Sahara Press Service, serving as a means to deliver malware onto mobile devices, compromising sensitive information.

The infrastructure utilized by Starry Addax, including domains such as ondroid[.]site and ondroid[.]store, indicates a focus on both Android and Windows users.

For Windows-based targets, Starry Addax uses a different tactic: credential-harvesting web pages that masquerade as login portals for popular media websites, aiming to trick victims into giving up their credentials so the attacker can gain unauthorized access to their accounts.

According to Cisco’s Talos threat research team, Starry Addax has been active since January 2024, orchestrating spear-phishing campaigns aimed at individuals sympathetic to the SADR cause.

Starry Addax's operation exhibits a high level of sophistication and a concerted effort to evade detection. The use of FlexStarling, a malware app equipped with advanced features and a Firebase-based command-and-control (C2) infrastructure, demonstrates the threat actor's determination to remain undetected while extracting valuable information from compromised devices.

FlexStarling's functionality includes requesting extensive permissions from the Android operating system, enabling the malware to extract sensitive data from infected devices. The malware employs evasion techniques, such as checking for emulation environments or analysis tools, to thwart detection efforts and ensure its persistence on compromised devices.

The malware seeks permissions to manage external storage areas on the device, granting the threat actor the ability to manipulate files and gather additional intelligence. By generating MD5 hash strings of command codes and comparing them against hardcoded hashes, the malware communicates with the C2 server and executes commands without raising suspicion.
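Hash-compared command codes hide the plaintext command strings from a quick look at the decompiled app, so an analyst typically recovers them by hashing candidate words and matching the digests. The following is an added illustration of that recovery step, not code from the Talos report or from FlexStarling; the command words and the "hardcoded" digests are constructed here for the example (in practice the digests are lifted from the sample).

```python
import hashlib


def md5_hex(text: str) -> str:
    """MD5 hex digest of a UTF-8 string, the form the article says the malware compares."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed stand-ins: command words a sample might use, hashed to simulate
# the hardcoded digests an analyst would extract from the decompiled app.
# "wipe_logs" is deliberately left out of the candidate list below so the
# example also shows how unmatched digests are reported.
CONSTRUCTED_COMMANDS = ["get_contacts", "list_files", "upload", "self_destruct", "wipe_logs"]
HARDCODED_HASHES = frozenset(md5_hex(c) for c in CONSTRUCTED_COMMANDS)

# Candidate words an analyst might try, e.g. from strings in related samples.
CANDIDATE_WORDS = ["get_contacts", "list_files", "upload", "self_destruct",
                   "screenshot", "get_sms"]


def variants(word: str):
    """Common spellings a malware author might have used for the same command."""
    yield word
    yield word.upper()
    yield word.replace("_", "")
    yield word.replace("_", "-")


def resolve_hashed_commands(hardcoded, candidates):
    """Map each hardcoded digest back to the first candidate spelling that produces it."""
    resolved = {}
    for word in candidates:
        for spelling in variants(word):
            digest = md5_hex(spelling)
            if digest in hardcoded and digest not in resolved:
                resolved[digest] = spelling
    return resolved


def unresolved_digests(hardcoded, resolved):
    """Digests no candidate explained; these still need manual analysis."""
    return sorted(set(hardcoded) - set(resolved))


if __name__ == "__main__":
    table = resolve_hashed_commands(HARDCODED_HASHES, CANDIDATE_WORDS)
    for digest, word in sorted(table.items(), key=lambda kv: kv[1]):
        print(f"{digest}  ->  {word}")
    print("unresolved:", unresolved_digests(HARDCODED_HASHES, table))
```

Unmatched digests are the useful output here: they point the analyst at the handlers whose purpose still has to be worked out from the surrounding code.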
